Date:      Tue, 23 Sep 2008 06:46:41 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        David Allen <the.real.david.allen@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Dealing with portscans
Message-ID:  <48D882C1.2050206@infracaninophile.co.uk>
In-Reply-To: <2daa8b4e0809221512o5c85d286qb8da358fb9d5ee66@mail.gmail.com>
References:  <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> <20080922200121.289abdcb.ghirai@ghirai.com> <2daa8b4e0809221305v6f5000f1w11090e4a85c21162@mail.gmail.com> <48D80D54.8060802@infracaninophile.co.uk> <2daa8b4e0809221512o5c85d286qb8da358fb9d5ee66@mail.gmail.com>

David Allen wrote:
> On 9/22/08, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:

>> Also consider the following sysctls:
>>
>> # Blackhole packets to ports without listeners
>> net.inet.tcp.blackhole=1
>> net.inet.udp.blackhole=1
>>
>> although these will be redundant if your firewalling is effective.
>
> I wonder, though, would using a block-policy setting of return (which
> I'm currently using) render the above redundant, or would the above
> take precedence?  I'll have to add that to the list of Stuff to Check.

Yes.  If the firewall disposes of the packet via a block rule, then
those sysctls will not have any effect.  The firewall can either drop the
packet or send an ICMP port unreachable message according to how it is
configured.

If the firewall passes the packet then either it is dealt with by a
program listening on the appropriate port, or the network stack itself
will generate an ICMP message (by default) or else just drop the packet
if the blackhole sysctls are enabled.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW


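The order of precedence Matthew describes (firewall rule first, then the stack's own reply, which the blackhole sysctls suppress only for packets the firewall has already passed) as a small POSIX sh model. This is an added example, not code from the thread or from FreeBSD; `SAMPLE_SYSCTL` is constructed output in the shape `sysctl` prints, and the `disposition` and `blackhole_enabled` functions are hypothetical helpers. One detail worth keeping in mind when reading the model: for a closed TCP port the stack's default reply is a RST, while UDP gets an ICMP port unreachable; `net.inet.tcp.blackhole` and `net.inet.udp.blackhole` suppress those respectively.

```shell
#!/bin/sh
# Added example (not from the original thread): model the order in which a
# FreeBSD host disposes of an unsolicited packet. The firewall is consulted
# first; the blackhole sysctls only matter for packets the firewall passes
# to the stack and for which nothing is listening.

# Constructed sample of `sysctl net.inet.tcp.blackhole net.inet.udp.blackhole`
# output. On a real host, feed the command's actual output instead.
SAMPLE_SYSCTL='net.inet.tcp.blackhole: 1
net.inet.udp.blackhole: 0'

# blackhole_enabled PROTO SYSCTL_OUTPUT
# Prints 1 if net.inet.PROTO.blackhole is non-zero in SYSCTL_OUTPUT, else 0
# (missing key counts as 0, which is the FreeBSD default).
blackhole_enabled() {
    proto=$1
    printf '%s\n' "$2" | awk -v key="net.inet.$proto.blackhole:" '
        $1 == key { v = ($2 != 0) ? 1 : 0; print v; found = 1 }
        END { if (!found) print 0 }'
}

# disposition FW_ACTION PROTO LISTENER BLACKHOLE
#   FW_ACTION: pass | block-drop | block-return  (pf "block" under block-policy)
#   PROTO:     tcp | udp
#   LISTENER:  1 if a program is bound to the port, else 0
#   BLACKHOLE: 1 if net.inet.<proto>.blackhole is set, else 0
# Prints which component answers the packet and how.
disposition() {
    fw=$1; proto=$2; listener=$3; blackhole=$4
    case $fw in
        block-drop)   echo "firewall: silently dropped" ;;
        block-return) echo "firewall: rejected (RST for tcp, ICMP unreachable for udp)" ;;
        pass)
            if [ "$listener" = 1 ]; then
                echo "stack: delivered to listening program"
            elif [ "$blackhole" = 1 ]; then
                echo "stack: silently dropped (blackhole)"
            elif [ "$proto" = tcp ]; then
                echo "stack: RST sent"
            else
                echo "stack: ICMP port unreachable sent"
            fi ;;
        *) echo "unknown firewall action: $fw" >&2; return 1 ;;
    esac
}

# Demonstration against the constructed sysctl output.
tcp_bh=$(blackhole_enabled tcp "$SAMPLE_SYSCTL")
udp_bh=$(blackhole_enabled udp "$SAMPLE_SYSCTL")
echo "tcp blackhole=$tcp_bh udp blackhole=$udp_bh"
disposition block-return tcp 0 "$tcp_bh"   # firewall answers; sysctl irrelevant
disposition pass tcp 0 "$tcp_bh"           # blackhole applies: no RST
disposition pass udp 0 "$udp_bh"           # udp blackhole off: ICMP is sent
```

The useful check for the thread's question is the first `disposition` call: with a `block return` policy the firewall has already answered, so whether the blackhole sysctls are set changes nothing. They only come into play for ports the firewall lets through that have no listener.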